SSH public key authentication explained | NordVPN (2024)

What is SSH public key authentication?

Secure Shell (SSH) public key authentication is a method that allows a user device to pair with remote servers and systems using cryptographic key pairs. Once authenticated, the user device establishes an encrypted connection with the server for safe data transfer. SSH public key authentication provides resilient security against malicious attacks and account intrusions thanks to its two inherent parts:

• SSH, which is a cryptographic network protocol created for secure communication over an unsecured network. SSH provides strong encryption for sent data and is compatible with various authentication forms, including password-based and public key authentication.
• Public key authentication, which uses an asymmetric cryptographic algorithm to generate two cryptographic keys — private and public — to authenticate and connect devices. Cryptographic key pairs are a part of a public key infrastructure (PKI) that is considered superior to password authentication because of its resistance to brute force attacks and other phishing attempts.

When authentication with SSH keys is established, the user obtains their digital identity by generated private key. In contrast, its pair, a public key, is distributed among SSH-connected servers and systems the user wants to access. Once the SSH connection is established, the user doesn’t need to use a password to reach remote resources in the future — the authentication system can compare the cryptographic keys without the user’s involvement and connect them to the needed assets. However, the user can create a passphrase to unlock their private key for additional security. Afterward, they would need to provide it any time they want to authenticate their identity with SSH. In addition, SSH encrypts all the data sent between the user and the remote server.

SSH public key authentication allows for easier user identity and access management and can make automation processes smoother.

How does SSH public key authentication work?

SSH public key authentication works by generating a pair of cryptographic keys, one private and one public, that are exclusive to each other. They are used to identify users and grant them access to a particular SSH server or system. Both the user and SSH server use the public key to encrypt messages during the connection sessions. The user can choose to distribute their public key to as many servers, systems, and machines as they wish. Meanwhile, the private key is used to sign authentication messages sent by the SSH server and remains only with the user, safely stored on the device they use. As mentioned previously, the private key may also be protected with a passphrase for higher security.

Let’s take a more precise look at how SSH public key authentication works:

1. The user tries to access the resources stored in the SSH server and initiates a connection with it.
2. The server recognizes the user’s public key and creates a challenge — an algorithm of random numeric combinations of varying lengths.
3. The SSH server prompts the user, or rather the device the user employs for the connection, to sign the challenge using their private key. The private key is typically generated using the RSA, DSA, ECDSA, or EdDSA algorithms. The most widely used among them are RSA and ECDSA. If the user has set a passcode to their private key, now is the time for them to provide it.
4. The user’s device signs the challenge with their private key and returns it to the server.
5. The server checks the private key’s signature against its corresponding public key. If the private key is verified, the user is authenticated and can connect to the SSH server.

Once the remote server authenticates the user, their device establishes an encrypted tunnel with that server. That means that all the data sent between the two is encrypted before it gets into the tunnel and decrypted after exiting the tunnel on the other end.

SSH public key authentication provides a robust authentication process with an encrypted connection between the devices, allowing for better network security.

What are the benefits of using an SSH public key?

SSH public key authentication benefits include boosting the security of the connection between multiple systems and devices and providing a safer exchange of data between two remote ends over unsave networks. Below are some of the major benefits SSH public key infrastructure offers in more detail:

• Multiple logins. Multiple users can connect to the same SHH server or system using their public keys without sharing their login credentials with other users. In addition, SSH public key authentication allows the revocation of access to single-user accounts without compromising the access of the rest of the users.
• Enhanced security. SSH public key infrastructure provides strong authentication because its asymmetric encryption is complex and challenging for attackers to break. This type of authentication also doesn’t rely on sending passwords over the network, which lowers the risk of them being intercepted.
• Automation and scalability. SSH servers can store numerous public keys within their system, allowing companies to expand or reduce user access according to their needs. SSH public key authentication also accommodates single sign-on (SSO): The user can use the same public key to gain access across multiple servers.

How to generate an SSH public key

Users can generate SSH keys by themselves using the open-source suite OpenSSH. However, for the authentication to work properly, the remote system you will share your public key with must have the same version of SSH installed. You also need to have access to the remote system to transfer the generated public key. Below are instructions for creating your own SSH key pair using OpenSSH and an RSA algorithm for generating the private key.

Generate an SSH public key on Mac and Linux

Follow these instructions to generate SSH public and private keys on Mac and Linux operating systems:

1. Install OpenSSH onto your computer and open the SSH suite. Enter ssh-keygen -t rsa in the command line to generate RSA keys.
2. You’ll be asked to create a file name and passphrase for your private key to safeguard it.
   • Filename. You can accept the suggested default filename, which will look something like ~/.ssh/id_rsa, and your key pair file’s default location by pressing “Enter” or “Return.” You can also create your own filename. However, remote systems are typically configured to recognize and accept private keys with their default filenames. This means that introducing another filename may require additional steps. The following instructions will cover the process of establishing SSH key authentication using the default filename.
   • Passphrase. You can either create one or proceed without the passphrase. If you decide to use the passphrase, you’ll need to provide it every time you connect to the system with a corresponding public key. If you tap “Enter” and “Return” without entering the passphrase, your private key won’t have one. If you decide to create a passphrase, make sure it’s at least five characters long and then tap “Enter” or “Return.”
3. Once you decide on the filename for your key pair, the SSH suite will generate a private key using the filename and store it on your computer in the .ssh directory of your home directory. The system will also generate a corresponding public key using the same filename but with the .pub extension added, for instance, ~/.ssh/id_rsa.pub, and will store it in the same location on your computer as the private key.
4. Use the SSH file transfer protocol (SFTP) or SCP command line of the SSH suite to copy the public key file and place it in your account on the remote system, for instance: scp ~/.ssh/id_rsa.pub name@surname.com. Keep in mind that during this step, you’ll be asked to enter the credentials for your account on the remote system. Afterward, your public key will be saved in this new format in both your home directory and the remote system.
5. Log in to the remote system and check if it contains the ~/.ssh/authorized_keys file. If it doesn’t, use the command line to enter mkdir -p ~/.ssh and touch ~/.ssh/authorized_keys.
6. Now you should add the contents of your public key file (using the previous example — ~/id_rsa.pub) to the remote system. You should add them to a new line in your ~/.ssh/authorized_keys file, entering cat ~/id_rsa.pub >> ~/.ssh/authorized_keys in the command line.
7. After that, you can either delete your public key (~/id_rsa.pub) from your account on the remote system or keep it and move it to the remote system’s .ssh directory.
8. Using the ssh command, you can access your account on the remote system (name@host2.surname.com) from your computer (host1). If you’ve safeguarded your private key with a passphrase, you’ll be prompted to provide it.

Generate an ssh public key on Windows

Follow these instructions to generate SSH public and private keys on Windows10 or newer Windows operating systems:

1. Open the Windows command prompt window by typing cmd in the search box.
2. Type ssh-keygen in the prompt. The command will start to generate the SSH keys.
3. Tap “Enter” to save the keys in the default location or pick another location for the files.
4. The prompt will open, asking you to create and confirm the passphrase to secure the private key. Press “Enter” after creating the passcode. You can also go without creating a passphrase by leaving the field for the passphrase empty and pressing “Enter.”
5. Now, you’ll need to configure the remote system you want to connect to. First, check if it has a ~/.ssh folder by entering ls -l ~/.ssh/ in the command prompt. If you discover that the folder doesn’t exist, create it by entering mkdir ~/.ssh and changing its permissions to chmod 700 ~/.ssh.
6. Create a file and call it authorized_keys in the ~/.ssh directory by entering touch authorized_keys in the command prompt. Afterward, change the permissions to chmod 600 ~/.ssh/authorized_keys.
7. Open the authorized_keys file using a text editor and copy the public key contents into the authorized_keys file. Save and close the file.
8. Log in to the remote server from your computer using the command ssh @. A prompt will appear asking you to enter the passphrase for your private key if you created one. Afterward, the command will use SSH to let you access the remote server.

Conclusion

SSH public key authentication helps users to safely access remote servers, devices, and systems with as little input from the user as possible. Paired with SSH encryption, public key infrastructure allows for a secure connection and data transfer between devices, which then become more resilient to malicious attacks and unauthorized interceptions.